Defining OCR Patient Access Guidelines
In the September issue of the Journal of AHIMA, some of my colleagues and I authored an article outlining the Office for Civil Rights’ (OCR) patient access guidelines. Providing individuals and their designated personal representatives easy access to their health information is prescribed by the HIPAA Privacy Rule, and is one of the OCR’s most important mandates. While the OCR’s guidance did not change HIPAA regulations, it is recommended procedure for audits.
The OCR is developing further clarifications and guidance to clear up challenges and confusion surrounding their frequently asked questions (FAQs) published in early 2016. During AHIMA’s 14th Annual Hill Day and Leadership Symposium, Deven McGraw, deputy director of the OCR, stated the initial clarification published on the OCR website still contained gray areas, stemming from the OCR’s desire to give patients more access to their health information, while promoting more engagement with health outcomes.
Patient requests for health information vs. third-party requests
One area of confusion is the difference between a patient’s right to request health information and third-party Release of Information (ROI) requests requiring the patient’s signed authorization.
Requests for copies of Protected Health Information (PHI) made by patients and their personal representatives – individuals with authority under applicable law to make healthcare decisions on behalf of the patient – do not need accompanying HIPAA-compliant authorizations. Only requests made by third parties must be accompanied by HIPAA-compliant authorizations.
Covered Entities (CEs), however, can require patients and their personal representatives to submit their requests for copies of PHI in writing, though they may not require patients and personal representatives to come onsite to their facility to request in person, nor can CEs require patients to submit their requests via web portal or through the mail. CEs can also require patients and their personal representatives to complete a designated form when requesting health information, “provided use of the form does not create a barrier to or unreasonably delay” patient access to PHI. Additionally, it is not recommended for providers to ask patients for a description of purpose regarding the information requested; while it is not prohibited to ask, denying access based on the answer is prohibited.
If a patient or their personal representative wants to direct a CE to send copies of the patient’s PHI to a designated third party, the request must be in writing, signed by the patient or the personal representative, and clearly identify the designated recipient and where to send the PHI.
Other dos and don’ts of patient access were summarized in the Journal of AHIMA article.
To learn more on this topic, please register for MRO’s upcoming webinar, “Skyrocket your HIPAA Compliance: 5 Stellar Tips for Providing Patient Access while Protecting Privacy,” scheduled for September 7, 2016. AHIMA has pre-approved this free webinar for one continuing education credit in the privacy and security domain.